15 Best Anti-Rootkit Tools to Remove Malware [2023 List]
Unlike the previous list of anti-rootkit detection tools, which is meant for average computer users who want rootkit infections recognized and removed automatically, the 5 free utilities below are meant for advanced users who want to manually analyze hidden processes, drivers, registry keys, files, startup entries, services, scheduled tasks, ring0 and ring3 hooks, etc. and determine for themselves whether each item is safe or malicious. Besides detecting rootkits, they can also be used to find other malware such as trojans, rogueware, worms and viruses.
11. AntiSpy
AntiSpy is a new portable tool whose first version was released in early 2013, and a new version has been released every month since. The official website is in Chinese but the program is fully in English. Running the executable opens a window with several tabs that let you view both visible and hidden items.
As you can see from the AntiSpy screenshot above, a process colored in red has been found to be suspicious, and right clicking on the item provides many options to investigate or take action, such as kill and delete file. The registry, service and autostart tabs are worth looking at because you can delete protected registry keys that regedit.exe cannot remove, view hidden services that don’t show up in services.msc and reveal hidden items that autostart with Windows. As good as it is, AntiSpy lacks a low-level file browser to view hidden files and folders.
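The "visible versus hidden" view that AntiSpy and the other tools here present is a cross-view comparison: the same kind of object is enumerated through two independent paths, and anything the low-level path confirms but the normal listing omits is flagged. As an added example that is not AntiSpy's code, this Python script applies the same check to processes on Linux (it assumes /proc and kill(pid, 0) are available) and handles the two usual false positives, thread ids and processes that start or exit mid-scan:

```python
import os

def listed_pids():
    """View 1: what an ordinary process lister sees, i.e. readdir('/proc')."""
    return {int(d) for d in os.listdir("/proc") if d.isdigit()}

def pid_exists(pid):
    """View 2: ask the kernel directly with kill(pid, 0). ESRCH means gone;
    EPERM means it exists but belongs to another user, so still present."""
    try:
        os.kill(pid, 0)
    except ProcessLookupError:
        return False
    except PermissionError:
        return True
    return True

def thread_group_of(pid):
    """Tgid from /proc/<pid>/status, or None if unreadable. Linux omits thread
    ids from readdir('/proc') but still resolves /proc/<tid>/ directly, which
    distinguishes a thread of a listed process from a truly hidden process."""
    try:
        with open(f"/proc/{pid}/status") as f:
            for line in f:
                if line.startswith("Tgid:"):
                    return int(line.split()[1])
    except OSError:
        pass
    return None

def cross_view(list_visible, exists, tgid_of, limit):
    """Cross-view diff: a pid the kernel confirms but the listing omits is a
    suspect, unless it is a thread or it appeared/vanished between the two
    views (both conditions are re-checked before reporting)."""
    visible = list_visible()
    suspects = []
    for pid in range(1, limit):
        if pid in visible or not exists(pid):
            continue
        tgid = tgid_of(pid)
        if tgid is not None and tgid != pid:
            continue  # a thread; its Tgid is the process that would be reported
        if exists(pid) and pid not in list_visible():
            suspects.append(pid)
    return suspects

def find_hidden_pids(limit=65536):
    """Run the cross-view check against the live /proc of this host."""
    return cross_view(listed_pids, pid_exists, thread_group_of, limit)
```

A /proc mounted with hidepid will make other users' processes look hidden to this check, so treat the output as a lead to investigate, not a verdict.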
12. GMER
GMER has been around since 2006 and is still actively developed today, with full 64-bit support. An advantage of GMER is that it automatically starts a quick scan on launch to find system modifications that might have been caused by rootkit activity.
We found that GMER is more of an analyzer than a rootkit removal tool, because you can only kill a process; there is no option to delete running processes, modules, registry keys or autostart items. The “Files” tab, where you can browse your files in an Explorer-like interface, also doesn’t seem to show files and folders that are hidden by rootkits.
13. NoVirusThanks Anti-Rootkit
This anti-rootkit tool by NoVirusThanks is free for non-commercial use and is recommended for experienced users because the program shows a lot of technical information, especially code hooks, although less experienced users can still run a quick scan on the Quick Report tab to find any process that runs hidden and is labeled as suspicious. There is a “Hosts File” tab, something most anti-rootkit tools ignore, to check whether malware has modified the hosts file to block security websites.
The program requires installation and works from Windows 2000 to 7 on 32-bit only.
Download NoVirusThanks Anti-Rootkit
14. PC Hunter
PC Hunter is a free anti-rootkit developed from XueTr (also an anti-rootkit tool) and comes in both Free and Pro versions. Compared to the rest, PC Hunter seems to have the most options to view processes, kernel modules, ring0 and ring3 hooks, network connections, startup info, file associations and firewall rules, and it even includes useful tools such as a registry editor, file manager, safeboot repair and options to re-enable a disabled registry editor and task manager.
If you’re stuck interpreting the results, you can generate a report from the “Computer Examination” tab, export it to an external text file and send it to an expert for help in identifying rootkits. PC Hunter works from Windows 2000 to 8 and even has a special 64-bit build that can be used from Windows 7 x64 onwards.
15. PowerTool
PowerTool is not just another rootkit analyzer because it has its own unique features. Other than viewing hidden processes, kernel modules, hooks, files, registry entries, startup items, services and network connections, one useful feature of PowerTool is that the System > Repair tab shows the status of items that malware commonly disables.
The loophole tab shows the critical patches that aren’t installed on your Windows operating system, and the hardware tab analyzes the basic hardware on your computer together with the CPU, hard drive and video card temperatures. The 32-bit PowerTool is currently at version 4.3, while you should download version 1.2 if you’re looking for the 64-bit build. During testing we occasionally experienced the program crashing with a runtime error.
Additional Tests: There are some standalone offline on-demand malware scanners offered for free by antivirus companies that claim to detect rootkits. We’ve tested COMODO Cleaning Essentials, Dr.Web CureIt!, F-Secure Safe Easy Clean, Sophos Virus Removal Tool, VIPRE Rescue and VirIT eXplorer Lite, but unfortunately none of them detected any of the 3 rootkit keyloggers installed on our test system.
Final Note: No matter how user friendly or easy to use the anti-rootkit tools are, you must use them with care to avoid wrongly disabling an important process or driver, which may cause Windows not to boot up properly. Always get advice from tech support forums, or send the suspicious file to antivirus companies using X-Ray to get confirmation of whether the file is a rootkit.
perhaps winpatrol war. and winpatrol has a hidden folders viewer that might turn something up.
i would be curious if your samples would be visible in winpatrol. it has a tab for viewing “hidden” process etc.
Very nice and great post. Thanks for sharing.
This is an interesting finding, especially that none of the so-called simple tools are able to detect all of them, unless you are using the manual / advanced methods.
1. Nice work. I hope you will provide an update on whether any of these tools find your three test cases 1 month and 3 months later.
2. Your original testing is critical, but the reviews would be greatly enhanced by incorporating recent results from elsewhere (e.g., how did TDSS Killer do in av-comparatives, av-test, or PC Mag).
3. As you note, some of the tested tools have not been updated in years so I don’t really see the point in testing those when you did not test several other tools that are more current.
4. I recently looked at RogueKiller. It has been around for awhile but now has a GUI. The site and documentation are in French but (slightly rough) English translations are available. RogueKiller is firmly in the advanced user camp. Some of the repairs are a bit heavy handed: options other than all or nothing are sometimes lacking.
RogueKiller checks for rootkits, rogue processes, rogue registry entries, rogue or untrusted drivers, and master boot record (MBR) modification. RogueKiller can even restore the Host file, delete Proxy entries, and repair shortcuts. Some features rely upon white and blacklists. Be _very_ careful.
Thank you very much…
thanks
Hello Ray,
Nice article. If you remember, there was a toolkit called AVZ (sorry, I don’t have any links; it is a Russian anti-malware which was later bought by Kaspersky).
Any chance you can try this?
didn’t know about Norton anti-rootkit, I have added it to my setup
thank you raymond, great review.
Ray,could you please test emsisoft toolkit and let us know what happened with the detection?Thank you
Hi joe, I’ve tested Emsisoft Toolkit and it only found one of the rootkits through signature. Another rootkit was partially detected because only the log file was being flagged but not the driver. The official website did not state anything about detecting rootkits, which is why I did not include Emsisoft Toolkit.
Thanks for this info !!
Have you heard about this new AntiRootkit Remover called: OSHI Unhooker?
Have you tested it?
Hi Icaro, yes, in fact I’ve already tested OSHI Unhooker but did not include it since it is not fully automated and failed to detect all 3 rootkits.
This is a really great test Raymond. It looks to me like none of these companies are taking rootkit detection very seriously; it looks like we will have to use multiple programs to do a reliable rootkit scan on our systems. I thought for sure at least a couple of them would get it right. Bit Defender and Kaspersky were a big surprise to me, I thought they would both do pretty well.
Ray, any opportunity to see how MS’s MRT or Safety Scanner does against these three would be much appreciated. I think those are two of the most overlooked, and effective, free tools with rootkit removal capability available to date.
hi reym,
this is Manoj from India, I appreciate your articles every time, I have followed them for the last 4-5 yrs
thanks for posting such wonderful information free
Hi,
Nice test, but you missed a lot of things here.
Which settings did you use before the tests, where are the results from the scan, etc.?
TDSSKiller can be configured to detect unknown services
i.imgur.com/Sbf88.png
Aswar is really old. I prefer Gmer or AswMBR for bootkits.
Bitdefender created many tools for rootkit detection but they left them behind and didn’t implement them in one product as Kaspersky did with TDSSKiller.
HitManPro can be configured to scan with EWS
i.imgur.com/vU2W6iV.png
However, you should be very careful when using HitManPro, because sometimes it can’t repair the BCD settings properly and the system will become unbootable.
You tested McAfee Rootkit Remover which is only for ZeroAccess and not McaFee Rootkit Detective?
Norton Power Eraser gives a lot of false positives.
Unhackme is not so good. The most of the time you should use RegRun Warrior CD to get the job done. Not very good for shareware.
Gmer can delete files and services…you can use batch files for that purpose.
For example:
gmer.exe -del service gasfkyeydxlkaw
gmer.exe -del reg "HKLM\SYSTEM\ControlSet001\Services\gasfkyeydxlkaw"
gmer.exe -del file "%systemroot%\system32\drivers\gasfkyktfoqdtk.sys"
gmer.exe -del file "%systemroot%\system32\gasfkywsp8y.dll"
gmer.exe -del file "%systemroot%\system32\gasfkyyicofjwf.dat"
gmer.exe -del file "%systemroot%\system32\gasfkycpoyvxdq.dll"
gmer.exe -del file "%systemroot%\system32\gasfkyjktjolda.dat"
gmer.exe -del file "%systemroot%\system32\gasfkyetodsrmt.dll"
gmer.exe -del file "%systemroot%\system32\gasfkybgdkopjo.dll"
gmer.exe -reboot
The following products are missing as well:
Win64AST, avirarkd (Avira anti-rootkit), Vba32 AntiRootkit, SysProt, Rootkit Unhooker 3.8.388.590, RootRepeal, SanityCheck Home Edition (x64), Dr.Web CureIt (has a built-in anti-rootkit), f-secure blacklight (yes it’s old, but AVG anti-rootkit is old as well, so it can be included). :)
The other tools can be found here:
kernelmode.info/forum/viewtopic.php?f=11&t=10
Anyway, thank you for the test. It was interesting to read it with my coffee. :)
Keep up the good work!
Regards,
Georgi
After a long time… thank you for this nice article… I have been using Emsisoft malware for quite some time… what are your ratings for this one, Raymond…
Thanks for the update!!!
Good rule of thumb I always say, is that when you have names like dhdbiquxyt.exe, you know you have something bad in there.
Ray, have you tried Sophos Rootkit Remover? curious to see the results of the rootkits you tested.
Jim, the Sophos Rootkit Remover redirects me to their free Sophos Virus Removal Tool which failed to detect all 3 keyloggers. Check the “Additional Tests” information found on the end of the second page.
Thank you very much !
The best is UnHackMe.
Hi Raymond, I understand that GMER has been integrated with AVAST, but you can download GMER zip/exe from the GMER website and it’s being constantly updated. Is it the same one that AVAST is using or is it different? If different, could you test it out as well please?
Thanks for all the hard work! Malaysia Boleh!
Hi Mark, the guy who created GMER works for AVAST which is why the “technology” in detecting rootkits used by GMER is integrated into AVAST products.
Appreciate this article.
Thank you!
I need this software!
Great posting Raymond. Really appreciate all the hard work that has gone into this article on AntiRootkits. Sure saves me (and others) a lot of time surfing the net only to find skewed opinions! Your final note is very apt and a friendly reminder to tread with care when using these tools – as you so eloquently state “No matter how user friendly or easy it is to use the anti-rootkit tools, you must use it with care”. Your testing of various tools in this regards makes the job that much easier. Thanks again and keep up the fantastic work on this site…
Useful test Ray, very useful.
Thanks a bunch Ray!
A very useful posting Raymond – Thank you.
Appreciate this article. Thanks!
Now that is a really good post Ray!
I love the posts in which you test software for us!
I guess in November you tested all the antivirus to find out the best and you said Avira is the best free antivirus so I switched to that!
Thanks.
As usual great test from Ray.
thanks raymond
good info
Nice article, thanks for giving us links for many anti-rootkits. It will be good for us to keep at least one of these products on our computer and USB. Thanks.